One of the world’s most popular virtual private networks (VPN) is not so private, according to a complaint filed earlier this week with the US Federal Trade Commission (FTC).

The Center for Democracy & Technology (CDT), a nonprofit that advocates for free speech and privacy, contends that the free Hotspot Shield VPN, a product of AnchorFree, Inc., is engaging in “unfair and deceptive trade practices” by promising, “secure, private and anonymous access to the Internet” when it is actually tracking, collecting and sharing user data with third parties.

At one level, this probably sounds like a “no-such-thing-as-a-free-lunch” situation.

If a service is “free”, in the sense that you’re not paying money for it, then you’re paying in some other way. In the case of Hotspot Shield, that means being required to look at ads or having at least some of your personal data – location, browsing habits, purchasing history etc – collected and sold to third parties for marketing.

But that is at the heart of what has rapidly become a very public squabble between the CDT and AnchorFree, which says Hotspot Shield has more than 500m users. CDT contends that if users are “paying” for a service with their data, that ought to be made more clear to them.


After all, the whole idea of a VPN is there in the middle word of the name: “private”. They are promoted as a way to keep your identity and browsing history secret – from everybody.

And that is indeed what AnchorFree promotes. Among the screenshots included in the CDT complaint is a Hotspot Shield VPN description on the iTunes/iOS App Store, which says, “Stay private and anonymous online. Prevent anyone from tracking your IP address, identity and location from websites and online trackers. Enjoy complete anonymity.”

The company also declares there are “no logs kept. Hotspot Shield doesn’t track or keep any logs of its users and their activities. Your security and privacy are guaranteed.”

The service may “enter into agreements with unaffiliated entities which possess technology that allows us to customize the advertising and marketing messages users receive while using the service.”

The service will disclose personal information to law enforcement, not just in response to a warrant or subpoena, but to “otherwise cooperate” with law enforcement or government agencies.

The service doesn’t guarantee that it will create a VPN or use a proxy IP address on all websites.

Beyond that, the CDT complaint claims that Hotspot Shield has been found to be “actively injecting JavaScript codes using iframes for advertising and tracking purposes”.

AnchorFree CEO David Gorodyansky, who has called CDT’s claims “unfounded”, told Naked Security in an email exchange:

Privacy and user trust is the key to our business. We have never given up or sold any user data, and our perspective on user data protection is to not store any data related to user IP addresses or personally identifiable information.

Asked to clarify how that statement squared with language in the company’s privacy policy, Gorodyansky said that “we are in the process of updating our privacy policy to reflect the reality around how our systems work, and the reality is that many of the items [in the above list] are not actually accurate”.

How common such disconnects between promotion and written policy are is hard to estimate. The FTC, while it acknowledged receipt of the complaint from CDT about Hotspot Shield, declined to comment on whether there are any other investigations into allegedly false VPN claims. Joanna Gruenwald Henderson of the FTC said:

FTC Investigations are non-public, and we do not comment on investigations or even the existence of an investigation.

VPNs can be “excellent tools to improve privacy, anonymity and secrecy,” he wrote, but also noted that, “the ‘private’ in ‘virtual private network’ means nothing more than that the VPN provides a connection that can be made to behave as though you had a direct hookup to your destination network.

“In other words, a VPN is implicitly private more in the sense that your family car is classed as a private/light goods vehicle than in the sense of private-as-in-privacy,” he wrote.

2 comments on “When is a VPN not private? When you’re not paying for it”

While the usual mantra “If a product is free, you’re the product” is very often valid, it’s a bit too simple to say if you want a private VPN just pay for it. The important part is actually to understand the business model of the service you’re planning to use. In the case of Hotspot Shield VPN, their official business model was clear and plausible: We will inject ads to monetise the service we offer. The issue was that they did not just serve ads, they did advanced profiling to serve targeted ads. The issue was not them being free, it was them being dishonest about their real business model.

I really don’t see why you could not have that with a paid VPN service being dishonest and willing to make more money on your back by also collecting your traffic habits.